Mitch Pronschinske is a Senior Content Analyst at DZone.

A Passionate Defense of Java's Virtues

01.27.2013
Originally authored by John G. Spragge

Well, that was quite a pile on, wasn't it? Just along one thread about the Java™ programming language, we get a number of solid reporters and a couple of "gurus". The reporters explain the facts about the current vulnerability in one Java sub-system; the "gurus" mount an all-out attack on Java. I have three observations here:

  1. Blaming a language for the things people express with it amounts to lunacy. Java is an efficient, powerful language; people do things with it. And given the nature of human beings, some people will do bad things. After Bernie Madoff went to jail, nobody suggested the government should take steps to discourage accounting or economics.

  2. In a neighbourhood afflicted by a string of burglaries, the headlines do not read: Locks Fail in Leaside. Every story about an "exploit" should, at least in passing, lay the blame with people who take advantage of that security flaw to harm or extort other people. Journalists need to continually remind us, and themselves, that if we live in the network version of Hobbes's war of all against all, we do so because of choices specific people have made.

  3. On the subject of war: our governments have evidently decided to take their conflicts into our living rooms, work places, children's schools, power plants and hospitals by making "cyber war". Those governments answer to us. I expect the people now hounding Oracle for "security flaws" to at least mention the truth: government preparations to make war on the net don't threaten us because of Java; they threaten us because war is a dangerous habit.


I have a simple plea: let us not lose sight of the many innovations of Java. Working with Java, I and many other programmers first encountered an integrated approach to coding and documentation through JavaDoc. Java offered the first and still some of the best facilities to integrate a flexible programming language and the W3C XML language. Above all, Java integrated the language and support routines, and in the process instituted and enforced coding standards. Languages such as C and C++ have no rules and standards for identifiers: Java does. Any reasonably skilled programmer who knows Java conventions can read a Java application source and have a pretty good chance of understanding it.

With C or C++ or some other language that does not provide a common naming scheme, a programmer must first learn the naming conventions in use, assuming the program has a common set of naming conventions. Java designers also eliminated header files, which separated declaration from implementation and left C and C++ sources fragmented. Java eliminated the distinction between pointers, references, and in-scope object declarations that complicates C++ code. Java offers the simple rational structure of packages, classes and interfaces, and the rule that every public class should have its own source file, and that file should have the name of the class it contains. These simple intuitive rules, coded into the structure of the Java language, did a huge amount to propagate consistently good program design practice. Given the advantages of Java for systems construction, it should surprise nobody that it powers so much of the web we take for granted.

Java gives the web Apache Tomcat, the Glassfish application server and many other important server-side systems, and its contribution to structuring good system design, much the way Algol and Pascal helped promote the structured programming approach taught by Edsger Dijkstra, has helped the growth of the practical computing systems that power the web.

On one level, I simply ask users and decision makers to ignore hysteria, step back, and weigh the advantages of Java against its security problems rationally. It makes sense for people to turn off Java applet interfaces that make computers vulnerable. It makes no sense to try to eliminate the language completely because of a problem in one of its systems. And it makes less than no sense to get rid of Java to prevent intrusions that might cost a few million dollars if the costs of getting rid of this language run into the billions. But whether the calls for the elimination of Java reflect merely frustration with the slow pace at which Oracle hardens the language against intrusions, or whether they reflect the desire of a few writers on security to force programmers and enterprises to do what they have failed to persuade us to do, it is simply unacceptable to ignore the contribution the designers of Java have made.

Reference: http://javainxml.blogspot.com/2013/01/a-passionate-defence-of-javas-virtues.html

Comments

Honey Monster replied on Sun, 2013/01/27 - 4:15am

When a string of burglaries happen all over the world and it turns out that the home builders all used the same lock which is easily opened using a common fork, I expect to see an article title reading: "Common Lock Brand Fails to Keep Burglars Out".

Java has focused on performance and ubiquity and both Sun and Oracle have neglected security for too long. More than half of end user compromises happen through Java plugins now. It is worse than Flash!

Of course the burglars are ultimately responsible for the break-ins, but we bought the homes with the locks installed *trusting* that the locks were up to the task. When it turns out that my home is being targeted specifically because I have that brand of door/lock I pretty damn well *am* going to ask questions and demand action.

It is no use denying Java has *serious* security issues. Just deal with it and don't make excuses.

You may have a point that we owe a lot to Java, e.g. JavaDoc, VM technology etc. But we do not use languages or technologies out of gratitude. Get real. I pick the technologies I use based on where they are today and where I expect them to be tomorrow. I do not continue to use a technology that puts me and my customers at risk just because it served me well 5 years ago!

John J. Franey replied on Sun, 2013/01/27 - 12:09pm in response to: Honey Monster

Honey Monster,

Your general comments about tool selection are spot on.

However, I just want to point out the following to help others avoid an over-reaction to your trollish comment:

It is no use denying Java has *serious* security issues. Just deal with it and don't make excuses.


First, you have made known that Java is not your selection. On October 18, 2010, you said this:

 Sure you see defections to .NET (I am a convert), ....


Second, your identity is hidden. 


Don't think I'm asking you to stop. It's your choice to spend time anonymously opposing Java on a Java content site.

Aleksander Nowinski replied on Wed, 2013/01/30 - 6:30am

Hmm... Actually I was trying to follow the problem, and I understand that the issue is a long-abandoned, hardly ever used applet plugin for browsers.

But Java is now mainly a server-side application, and up till now I have not heard about a serious security breach in server-side Java caused by the language. I can understand that 'Java' is a quite fine name to blame, but how do crappy applet problems apply to the real, huge server-side J2EE applications? I just can't get the connection.

Jeff Du replied on Wed, 2013/01/30 - 7:53am in response to: Aleksander Nowinski

It does not apply to J2EE apps, it only applies to Java running in a browser.

Alex Kashko replied on Wed, 2013/01/30 - 11:27am

Apart from what, according to these replies, is a security non-issue, I have worked with Java for 13 years and while appreciating its virtues (it is hard to write a bad program in Java but also hard to write a good program) I am also aware of some of its flaws, for example (others may have other ideas and examples):

1. Overly verbose: I have had occasions where, simply playing, code in say Python is shorter and clearer than in Java, and recently playing with R and Erlang I can see that these languages are more concise. Unfortunately they also seem slow.

2. Java IO has been a mess from day one and I ended up writing IO utilities to hide the mess.

3. The same is true about Java Reflection, though any reflection API is likely to be messy.

4. Swing needs a complete overhaul.

5. Problems such as unpredictable code flow because of wrong version Jar files have been largely eliminated with Maven but still exist.

6. Concurrency is messier than the underlying problem merits.

Of course some problems arise because of developers trying to show they are clever or knowledgeable ("Hey, I just reached page 347 and found this pattern, let's mangle the code so I can use it").


On the other hand:

a) The ecology of IDEs and Open Source that has grown up around Java means time to deliver can be very short, though some frameworks seem over complex (Yes Spring, I am talking about you) but are pretty well documented (Stop trying to pretend you don't exist, Ruby on Rails; I expect to be able to produce a sample webapp from a one page tutorial and then know how to alter the sample app, not have to read a hundred pages of obfuscated manuals first).

b) Some features like Serialisation are nice and I have fixed simple serialisation issues with a text editor.

c) It does run on any platform

d) Reflection and Enums have saved me hundreds of lines of messy code and let me produce effectively maintenance free code. 


David Sachdev replied on Wed, 2013/01/30 - 12:29pm

First...many people are getting java on the browser and java on the server side confused. 

I think that there really aren't that many people developing java in the browser these days, and I even wonder just how many existing java in the browser apps there are.  I'm not talking JSPs here....

People are also getting java and JavaScript confused...please don't help to perpetuate wrong, confusing, or misleading information (a comment to the readers, not the author of this post)


I think the most interesting part here is the Remote Execution in the Spring Framework...and for anyone looking for more details on this, here is a link with detailed info:

https://www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf

http://www.infoworld.com/d/security/major-flaw-in-java-based-spring-framework-allows-remote-code-execution-attackers-211066

https://access.redhat.com/security/cve/CVE-2011-2730


Josef Bajada replied on Wed, 2013/01/30 - 12:47pm

I don't understand the fuss being made on these issues as if it's the Y2K bug coming to haunt us again. Security flaws are discovered all the time, from Operating System level, up to Browser level and Application Server level. It's the nature of information security and the way software is developed in general.

I get a security update on my Windows 7 installation from Microsoft at least once a month (often once a week!). In December alone Microsoft issued 7 security updates for its products. Adobe Flash player (which is a much more popular browser plugin than the Java Applet!) has been plagued with security issues over its long prosperous life, with the latest update last December flagged by Sophos as critical because it allows attackers to execute arbitrary code. WordPress (which powers a huge percentage of corporate websites, not just blogs) just issued a 3.5.1 update a few days ago which includes fixes for security vulnerabilities related to cross-site scripting (which does not mean that the PHP language is flawed!). Why isn't a fuss being made on these issues each week?

For all the readers and commenters deviating from the core issue here, yes, Java is not good for desktop applications. It's clunky and it's ugly. Apart from the Java IDEs and similar dev tools like SoapUI I don't think I have any other application written in Java installed on my Desktop PC. Java Applets never took off because of a superior alternative - Adobe Flash, despite recent JavaFX efforts. They (together with Silverlight) will eventually succumb to HTML5, so once again what's the fuss about Java Applets? The Spring vulnerability, which seems to have less media coverage, is actually more serious because Spring is used much more. But then again, we get security flaws and updates for them every day!

I do not choose Java from a language cleanliness point of view. It's the framework, the fact that it runs on all platforms without issues, and the availability of so many high quality APIs for everything, which are often standardized through a community process, from Document Management to Telecommunications Interfaces (I'd like to see some .Net alternative to this!).

Java EE and its related suite of technologies (Spring, Hibernate, CXF, Drools, ActiveMQ, Terracotta, Logback etc.) are superior to all other technology stacks for the enterprise, especially for the fact that most of them are open source, and tried and tested by thousands of people. You will also get the occasional security flaw here and there just like everything else, no argument about it, but the fact is that the technology stack is far superior to any of the other admissible candidates when it comes to enterprise application development.

Is it complicated? Yes, there is a learning curve (still not as steep as C++ or some cryptic Ruby iteration syntax) but hell, you are supposed to be building an enterprise application where you care about performance, scalability and all that stuff. Some of the complexity comes from the fact that the designers of most frameworks value the need for openness and having choice when selecting the implementation of each layer, unlike .Net where everything is closed and mandated by Microsoft.

If you are just building a simple website with some dynamic content, use something like PHP; you'll get there much faster. That's what I do too because it has a great API and a huge user community. When you think you need to invest in scalability, resource pooling, multi-threading, asynchronous I/O, interprocess message queuing, portability, distributed transactions and out of the box configurable logging etc., then a Java-based technology stack is the only candidate that ticks all the boxes (especially if you want everything open source), but be prepared to spend time to learn it properly.


Dean Sands replied on Wed, 2013/01/30 - 6:53pm

 Lovely, lovely. Can we have unsigned integers now?

Josef Bajada replied on Wed, 2013/01/30 - 7:04pm in response to: Dean Sands

No, introducing them would be insecure :)
